Scripting with OWASP ZAP

Insider, DAST, tooling
Praveen K | June 04, 2019
Zaproxy_Blog-Image

 


At we45, we’re huge advocates of leveraging automation to hasten the bulk of application security testing. Integrating security tools into the continuous development cycle can help early finding and fixing of security issues.

There are many security tools out there which can help you speed up security testing and help identify vulnerabilities in your applications. But there exists a class of vulnerabilities, linked to an application’s functionality which can be hard for a security tool to pick up. But what if you could modify your security tool and augment it’s capabilities to identify such specific vulnerabilities.

In this article, we will be looking at how we can modify the functionality of the OWASP Zed Attack Proxy(ZAP), which is one of the most widely used open source security tools.

Why ZAP?

ZAP is an open source tool which is completely free and is very widely used by security professionals for automated scanning of security vulnerabilities. The tool is also used for manual penetration tests, and boasts of industry-best features and a large support community(where you can find scripts, plugins, add-ons and other goodies). The tool also has an API which is very well defined and documented making it seamless to problematically access the features of ZAP.

Why Scripting?

We know that ZAP is an open source tool, but it will be difficult to actually make changes to the core zap and recompile it the code to include a feature based on a very specific requirement you may have.

ZAP has a scripting engine which can be used to modify its functionalities and extend its features through a simple interface. ZAP provides us with the ability to write and develop different types of scripts within the tool itself. ZAP can access all the internal data structures including objects and methods. It supports any scripting language that supports JSR 223 which include ECMAScript / Javascript, Zest, Groovy, Python, Ruby and many others

webhooks - screenshot-1

Scripts tree tab and The Script Console tab

Script Console Tab

This tab is used to write scripts which can be run within ZAP and also has a debug area which also displays error messages. It also provides a basic autocomplete feature which assists with the methods available associated to an object.

The Scripts tree tab

This tab consists of a tree of all the scripts organized based on its type. While creating a new script, it also gives an option to create a template which gives a basic structure of the type of script. The scripts can be saved as a file and loaded and also enabled/disabled/removed whenever needed.

These scripts are categorized based on the specific functionality of the scripts. The different categories of scripts are:

Stand Alone - These scripts are scripts which have a very specific functionality and are run only when initiated manually.

Targeted - These scripts are similar to Standalone scripts, but can be run on a specific set of URLs from the site tree. This scripts can be run on a subset of all the URLs in the application. This script can be run by right-clicking on the site tree and the script is invoked and runs only on the specified target.

Proxy - Scripts that will run against the msg that is being proxied through ZAP. These scripts can be used to replace a part of the request or response as the msg is being sent.

HTTP Sender - A proxy script will run only on the messages passing through the proxy, the HTTP sender will run on all request/response sent/received by ZAP.

Passive scan Rule - Passive scan scripts are scripts that would be run as part of a passive scan. The passive scan runs as soon as messages are proxied through ZAP. The passive scan does not make any request and only performs a static scan of all the messages captured by ZAP.

Active Scan rule - Active Scan Scripts are scripts that would be run whenever an active scan is initiated. These are scripts which would send requests to the application with malicious content as part of the request to find vulnerabilities.

Authentication Scripts - Authentication can be done using scripts to automate the authentication process. Once these scripts are written, can be included as part of a context as a method of authentication into an application with different users with different privileges.

Sequence Scripts - Sequence scripts are used to simulate an ordered set of actions. This could be accessing certain pages in a specific order and performing certain actions in the pages.

A sequence script can be given as an input while initiating an active scan to scan only the requests part of the sequence. This can be accessed in the sequence tab when the 'Show advanced options' is selected.

Script Input Vectors --These scripts allow us to specify custom input vectors that can be used to attack during active scans. We can extract the parameters from the HTTP requests and set the new value (attack) of the parameter when called by the scanners during the active scan.

Useful Modules - ZAP Scripting with Python(Jython)

The below objects and methods are some of the most useful objects while writing scripts in ZAP.

msg
   #the message object that is acted upon to parse/manipulate

msg.getRequestHeader()
   #Request Header Object

msg.getRequestHeader().getURI()
   #fetches the URI from the request header

msg.getRequestBody()
   #Fetches the request body from the request

msg.getResponseBody()
   #Fetches the request body from the request

msg.setRequestBody()
   #Sets a different request body from the one in the original request

Passive Scan Rule script example:

We know passive scan will perform a static analysis of the request and responses.we may have a specific test case which might not part of the ZAP passive scan engine. One such example would be to search for any sensitive information that we may have exposed on the client side. we can write a custom passive test case for this to look for such patterns. The below script is to actually look for AWS secrets that might be exposed on the client side.

Passive Scan Rule script

The script will look for the pattern "awsKeyId=","secretAccessKey=" on the client side. We could change the “searchlist” parameter to identify any pattern that may be sensitive in your application.

Active Scan Rule Script Example

ZAP has a very extensive RULE Engine for the Active scans. But what if you have a vulnerability that ZAP is not checking we can write a custom script for identifying such vulnerabilities in our application. In the below script we will see how we can write a script to identify vulnerability in the way JWT tokens are handled by certain libraries.

JSON Web Token is a JSON-based open standard (RFC 7519) for creating access tokens that assert some number of claims. The Token is Base64 Encoded and will have three parts when decoded. The Header, Payload and the Signature to verify the integrity of the token.

JSON Web Token

Decoded JWT token

The Header has an “alg” parameter which is used to specify the algorithm used to generate the signature which may be HS256 (HMAC with SHA-256)  and RS256 (RSA signature with SHA-256). Interestingly the “alg” parameter also accepts the value “none”, which is used when the integrity of the token has already been verified.

Some libraries treat tokens signed with the “none” algorithm as a valid token with a verified signature. An Attacker may leverage this vulnerability to create his/her own "signed" tokens with whatever payload they want, allowing the attacker to get access resources with an invalid token.

So to test this we need to send a token with “alg” as "none" and check if the server is honoring the token.

 

JSON Script 1-1

JSON Script 2-1

ZEST Scripts

Zest is a language developed by the Mozilla security team. ZAP has an addon for Zest that is included by default as part of the tool. Zest scripts are intended to be written using graphical interfaces making it easy to develop these scripts.

Zest script can be recorded by clicking on the "record new zest script" button in the toolbar in ZAP as shown in the image below.

1_zap_script_record

When we click on the record button, we will be prompted with a tab in which we can set the parameters related to the zest script. we can choose the type of script that we intend to record (stand alone, sequence or an authentication script). Once we start recording, the messages proxied through ZAP will be transformed to the Zest script is JSON format as shown in the image below.

2_zap_script_record

The zest script can be edited by right clicking on the request in the script tab and add statements such as loops, assertions or conditions. Zest can be used to generate scripts which could be used to perform actions such as authentication, traversal of a web application or validate existence of manually found vulnerabilities.

Community Script

The community script link below has a large number of scripts of different types which can be used provided by the community

The scripting aspects of ZAP that we have discussed opens up limitless possibilities in terms of the changes you may want to make to the tool which makes extremely flexible.